Malicious Brain Test App Thwarts Google Play Android Security

Check Point Software Technologies researchers disclosed a new attack, dubbed Brain Test, against Android that repeatedly got into the Google Play store.

Attackers are now using increasingly sophisticated methods to get malicious applications into legitimate locations. The latest incident is a new attack against the Google Play store in which a malicious app was able to get past Google's security—not once, but twice. The malicious app is called Brain Test, and prior to its removal by Google on Sept. 15 had as many as 1 million users.
According to Check Point Software Technologies, the Brain Test malware is able to place a rootkit on an infected Android device, enabling an attacker to run arbitrary code. There are multiple security mechanisms in place in Android and the Google Play site to prevent malware from running, yet the BrainTest malware was able to avoid them all using a number of different techniques.
Check Point's emulation engine caught the exploitation phase of the BrainTest malware, said Michael Shaulov, head of mobile threat prevention at Check Point. That is, the malware was detected when the app was running the exploits against the kernel of the emulating device.
Breaching Android security is no trivial matter, and the BrainTest malware includes four different privilege-escalation exploits in order to gain root access on a device. Shaulov noted that the need for four exploits has to do with the Android device fragmentation.

"Different flavors of Android and different devices require different exploits because the kernel or drivers that are vulnerable are different," Shaulov told eWEEK. "As an example, one exploit will successfully work on a Galaxy S4 device running Android 4.4 while another exploit will run successfully on a Google Nexus device running Android 5."

The inclusion of multiple privilege-escalation exploits is a similar concept to how exploit packs run against Web browsers: Cyber-criminals will pack multiple exploits (one for Internet Explorer 11, one for Internet Explorer 9, one for FireFox and one for Chrome) and will try to run them against the various browsers accessing the infected Website, Shaulov explained.
From a malware payload perspective, there is a command and control infrastructure associated with the Brain Test malware, Shaulov said. It currently looks like the main purpose of the command and control is to overlay aggressive advertisements on the device and install additional applications, he added.
"Given the architecture of the malware, it can be repurposed any time, as the execution logic is downloaded from the command and control," Shaulov said.
Check Point identified two apps called Brain Test that were uploaded to Google Play using two different app packages: com.zmhitlte.brain and com.mile.brain. While Google has since removed the apps, there is some indication that the malware is still present in non-Google Play Android apps stores, Shaulov said.
Google has a technology called Verify Apps that is used to scan Android devices for potential malware that may have come from non-Google Play sources. Shaulov noted that Check Point didn't check if Verify Apps protects against Brain Test.
"In general, verify apps only checks against known hashes, so any permutation of the malware will not be identified by Google's Verify Apps," Shaulov said.
Fixing the root cause of the Brain Test malware can be difficult and isn't about any one single vulnerability.
"[Brain Test] uses multiple approaches and CVEs [Common Vulnerabilities and Exposures] from multiple vendors, and Google cannot patch this issue," Shaulov said.
It's still unclear who is responsible for the Brain Test malware though Shaulov said the origin appears to be Chinese.
Attackers in China also have been busy in recent weeks going after Apple's App Store. Apple is pulling at least 39 apps after the XcodeGhost malware was discovered that made use of a fraudulent Xcode development tool to infect applications.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.